cybergate | b1a3c03cc36efebc04639fc91d4a480c3ffaa77e21fbff2c522c47b420275242

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2024, 11:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Size

332KB
MD5

c26dff584da6fa4945be74b82f5fbe2d
SHA1

779c1d4bcc756796fcf8af5cb0b098203aaa8f4a
SHA256

b1a3c03cc36efebc04639fc91d4a480c3ffaa77e21fbff2c522c47b420275242
SHA512

5d8e1d09f2d2ce3b62eb6db52835f7d2a35525f43c3632ec91b5baeaf5d6c07bd3c7cda1c73d5bff5c3253eeb5b20f7b1dc94e8c9269459a02d943d5ae0ae5e7
SSDEEP

6144:NwXsSeyekYXEdR8RyGqZH2XA6+/4UWtTS/FB6UVcYIOcRu5+B:NwXQTl0d0yZWUwUWtG/X6gJcRu5

Score

10^/10

cybergate mrbombastic discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.01.18

Botnet

mrbombastic

mrbombastic.no-ip.biz:8000

Mutex

CyberGate1

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
winlog
install_file
winlogon.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
gonzalek55
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\winlog\\winlogon.exe"	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\winlog\\winlogon.exe"	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{80C5EG22-OU27-Q5DF-I4Q7-SMY606WT134K}	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80C5EG22-OU27-Q5DF-I4Q7-SMY606WT134K}\StubPath = "C:\\Windows\\system32\\winlog\\winlogon.exe Restart"	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{80C5EG22-OU27-Q5DF-I4Q7-SMY606WT134K}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80C5EG22-OU27-Q5DF-I4Q7-SMY606WT134K}\StubPath = "C:\\Windows\\system32\\winlog\\winlogon.exe"	explorer.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0008000000023c55-3.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
3144	winlogon.exe
488	winlogon.exe
2196	winlogon.exe

Loads dropped DLL 6 IoCs

pid	Process
2072	regsvr32.exe
2504	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2976	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2708	regsvr32.exe
3144	winlogon.exe
488	winlogon.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\winlog\\winlogon.exe"	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\winlog\\winlogon.exe"	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\winlog\winlogon.exe	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\winlog\	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\winlog\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\BI1I7JC8Gl.txt	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\winlog\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\BI1I7JC8Gl.txt	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\winlog\winlogon.exe	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\winlog\winlogon.exe	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2504 set thread context of 2976	2504	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	84
PID 2976 set thread context of 2284	2976	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	85
PID 3144 set thread context of 488	3144	winlogon.exe	94
PID 488 set thread context of 2196	488	winlogon.exe	95

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000023c55-3.dat	upx
behavioral2/memory/2072-5-0x0000000011000000-0x000000001100B000-memory.dmp	upx
behavioral2/memory/2504-7-0x0000000011000000-0x000000001100B000-memory.dmp	upx
behavioral2/memory/2976-8-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2976-10-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2976-12-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2976-11-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2976-16-0x0000000011000000-0x000000001100B000-memory.dmp	upx
behavioral2/memory/2284-17-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/2284-19-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/2284-21-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/2284-20-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/2976-24-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2284-27-0x0000000024010000-0x000000002406F000-memory.dmp	upx
behavioral2/memory/2284-28-0x0000000024010000-0x000000002406F000-memory.dmp	upx
behavioral2/memory/2284-31-0x0000000024070000-0x00000000240CF000-memory.dmp	upx
behavioral2/memory/2284-163-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral2/memory/2708-187-0x0000000011000000-0x000000001100B000-memory.dmp	upx
behavioral2/memory/3144-189-0x0000000011000000-0x000000001100B000-memory.dmp	upx
behavioral2/memory/488-196-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/488-200-0x0000000011000000-0x000000001100B000-memory.dmp	upx
behavioral2/memory/488-209-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2196-212-0x0000000000400000-0x0000000000454000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
File opened for modification	C:\Windows\	winlogon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{263AF176-4B2A-4251-88B8-1A76352224F6}\ProgID\ = "PotDll.PotGo"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEBF528D-7F75-403F-8FE5-F21F4C4259C5}\ProgID\ = "free.BG08iJ1ijADIlIFl01LgL8"	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEBF528D-7F75-403F-8FE5-F21F4C4259C5}\LocalServer32	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{054F05BB-5C2C-451F-A204-299C6F648A16}\ = "_PotGo"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PotDll.PotGo\Clsid\ = "{263AF176-4B2A-4251-88B8-1A76352224F6}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{054F05BB-5C2C-451F-A204-299C6F648A16}\ProxyStubClsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{054F05BB-5C2C-451F-A204-299C6F648A16}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{263AF176-4B2A-4251-88B8-1A76352224F6}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D8453F58-57DF-4390-92D9-65431054C820}\TypeLib\ = "{20A80AC3-CA63-4C97-9009-2FA7802E0005}"	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{263AF176-4B2A-4251-88B8-1A76352224F6}\VERSION\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{263AF176-4B2A-4251-88B8-1A76352224F6}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D8453F58-57DF-4390-92D9-65431054C820}\ProxyStubClsid32	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D8453F58-57DF-4390-92D9-65431054C820}\ = "BG08iJ1ijADIlIFl01LgL8"	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{263AF176-4B2A-4251-88B8-1A76352224F6}\ = "PotDll.PotGo"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8453F58-57DF-4390-92D9-65431054C820}	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEBF528D-7F75-403F-8FE5-F21F4C4259C5}\ = "free.BG08iJ1ijADIlIFl01LgL8"	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{446C607A-D2CA-4BC5-9A69-053B2D198576}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{054F05BB-5C2C-451F-A204-299C6F648A16}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{263AF176-4B2A-4251-88B8-1A76352224F6}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{263AF176-4B2A-4251-88B8-1A76352224F6}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{054F05BB-5C2C-451F-A204-299C6F648A16}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{20A80AC3-CA63-4C97-9009-2FA7802E0005}\1.0\FLAGS	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8453F58-57DF-4390-92D9-65431054C820}\TypeLib\Version = "1.0"	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PotDll.PotGo	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{054F05BB-5C2C-451F-A204-299C6F648A16}\ = "_PotGo"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\PotDll.PotGo\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{263AF176-4B2A-4251-88B8-1A76352224F6}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{20A80AC3-CA63-4C97-9009-2FA7802E0005}\1.0	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{263AF176-4B2A-4251-88B8-1A76352224F6}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{054F05BB-5C2C-451F-A204-299C6F648A16}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D8453F58-57DF-4390-92D9-65431054C820}\ProxyStubClsid	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{054F05BB-5C2C-451F-A204-299C6F648A16}\ = "_PotGo"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{263AF176-4B2A-4251-88B8-1A76352224F6}\VERSION	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\PotDll.PotGo	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{20A80AC3-CA63-4C97-9009-2FA7802E0005}\1.0\0	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{054F05BB-5C2C-451F-A204-299C6F648A16}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PotDll.PotGo\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D8453F58-57DF-4390-92D9-65431054C820}\TypeLib	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\free.BG08iJ1ijADIlIFl01LgL8\ = "free.BG08iJ1ijADIlIFl01LgL8"	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D8453F58-57DF-4390-92D9-65431054C820}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{446C607A-D2CA-4BC5-9A69-053B2D198576}\1.0\ = "PotDll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{446C607A-D2CA-4BC5-9A69-053B2D198576}\1.0\HELPDIR\ = "C:\\Windows\\system32"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D8453F58-57DF-4390-92D9-65431054C820}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{054F05BB-5C2C-451F-A204-299C6F648A16}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{446C607A-D2CA-4BC5-9A69-053B2D198576}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{054F05BB-5C2C-451F-A204-299C6F648A16}\TypeLib\ = "{446C607A-D2CA-4BC5-9A69-053B2D198576}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{054F05BB-5C2C-451F-A204-299C6F648A16}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEBF528D-7F75-403F-8FE5-F21F4C4259C5}\TypeLib	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{054F05BB-5C2C-451F-A204-299C6F648A16}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{054F05BB-5C2C-451F-A204-299C6F648A16}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{263AF176-4B2A-4251-88B8-1A76352224F6}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PotDll.PotGo\Clsid\ = "{263AF176-4B2A-4251-88B8-1A76352224F6}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEBF528D-7F75-403F-8FE5-F21F4C4259C5}\VERSION	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D8453F58-57DF-4390-92D9-65431054C820}\ = "_BG08iJ1ijADIlIFl01LgL8"	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EEBF528D-7F75-403F-8FE5-F21F4C4259C5}\TypeLib\ = "{20A80AC3-CA63-4C97-9009-2FA7802E0005}"	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{054F05BB-5C2C-451F-A204-299C6F648A16}\TypeLib\ = "{446C607A-D2CA-4BC5-9A69-053B2D198576}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{263AF176-4B2A-4251-88B8-1A76352224F6}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{054F05BB-5C2C-451F-A204-299C6F648A16}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{20A80AC3-CA63-4C97-9009-2FA7802E0005}	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{446C607A-D2CA-4BC5-9A69-053B2D198576}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\BI1I7JC8Gl.txt"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\free.BG08iJ1ijADIlIFl01LgL8\Clsid	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\free.BG08iJ1ijADIlIFl01LgL8	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2976	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2976	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2976	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2976	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2976	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2976	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2976	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2976	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2976	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2976	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2976	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2976	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2976	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2976	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2976	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2976	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2976	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2976	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2976	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2976	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2976	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2976	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2976	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2976	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2976	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2976	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2976	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2976	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2976	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2976	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2976	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2976	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2976	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2976	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2976	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2976	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2976	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2976	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2976	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2976	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2976	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2976	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2976	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2976	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
488	winlogon.exe
488	winlogon.exe
488	winlogon.exe
488	winlogon.exe
488	winlogon.exe
488	winlogon.exe
488	winlogon.exe
488	winlogon.exe
488	winlogon.exe
488	winlogon.exe
488	winlogon.exe
488	winlogon.exe
488	winlogon.exe
488	winlogon.exe
488	winlogon.exe
488	winlogon.exe
488	winlogon.exe
488	winlogon.exe
488	winlogon.exe
488	winlogon.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4052	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4052	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
Token: SeDebugPrivilege	4052	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2284	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2504	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
2976	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
3144	winlogon.exe
488	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2072	2504	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	83
PID 2504 wrote to memory of 2072	2504	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	83
PID 2504 wrote to memory of 2072	2504	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	83
PID 2504 wrote to memory of 2976	2504	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	84
PID 2504 wrote to memory of 2976	2504	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	84
PID 2504 wrote to memory of 2976	2504	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	84
PID 2504 wrote to memory of 2976	2504	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	84
PID 2504 wrote to memory of 2976	2504	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	84
PID 2504 wrote to memory of 2976	2504	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	84
PID 2504 wrote to memory of 2976	2504	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	84
PID 2504 wrote to memory of 2976	2504	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	84
PID 2976 wrote to memory of 2284	2976	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	85
PID 2976 wrote to memory of 2284	2976	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	85
PID 2976 wrote to memory of 2284	2976	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	85
PID 2976 wrote to memory of 2284	2976	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	85
PID 2976 wrote to memory of 2284	2976	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	85
PID 2976 wrote to memory of 2284	2976	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	85
PID 2976 wrote to memory of 2284	2976	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	85
PID 2976 wrote to memory of 2284	2976	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	85
PID 2284 wrote to memory of 3412	2284	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	56
PID 2284 wrote to memory of 3412	2284	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	56
PID 2284 wrote to memory of 3412	2284	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	56
PID 2284 wrote to memory of 3412	2284	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	56
PID 2284 wrote to memory of 3412	2284	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	56
PID 2284 wrote to memory of 3412	2284	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	56
PID 2284 wrote to memory of 3412	2284	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	56
PID 2284 wrote to memory of 3412	2284	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	56
PID 2284 wrote to memory of 3412	2284	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	56
PID 2284 wrote to memory of 3412	2284	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	56
PID 2284 wrote to memory of 3412	2284	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	56
PID 2284 wrote to memory of 3412	2284	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	56
PID 2284 wrote to memory of 3412	2284	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	56
PID 2284 wrote to memory of 3412	2284	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	56
PID 2284 wrote to memory of 3412	2284	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	56
PID 2284 wrote to memory of 3412	2284	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	56
PID 2284 wrote to memory of 3412	2284	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	56
PID 2284 wrote to memory of 3412	2284	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	56
PID 2284 wrote to memory of 3412	2284	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	56
PID 2284 wrote to memory of 3412	2284	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	56
PID 2284 wrote to memory of 3412	2284	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	56
PID 2284 wrote to memory of 3412	2284	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	56
PID 2284 wrote to memory of 3412	2284	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	56
PID 2284 wrote to memory of 3412	2284	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	56
PID 2284 wrote to memory of 3412	2284	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	56
PID 2284 wrote to memory of 3412	2284	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	56
PID 2284 wrote to memory of 3412	2284	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	56
PID 2284 wrote to memory of 3412	2284	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	56
PID 2284 wrote to memory of 3412	2284	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	56
PID 2284 wrote to memory of 3412	2284	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	56
PID 2284 wrote to memory of 3412	2284	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	56
PID 2284 wrote to memory of 3412	2284	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	56
PID 2284 wrote to memory of 3412	2284	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	56
PID 2284 wrote to memory of 3412	2284	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	56
PID 2284 wrote to memory of 3412	2284	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	56
PID 2284 wrote to memory of 3412	2284	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	56
PID 2284 wrote to memory of 3412	2284	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	56
PID 2284 wrote to memory of 3412	2284	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	56
PID 2284 wrote to memory of 3412	2284	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	56
PID 2284 wrote to memory of 3412	2284	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	56
PID 2284 wrote to memory of 3412	2284	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	56
PID 2284 wrote to memory of 3412	2284	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	56
PID 2284 wrote to memory of 3412	2284	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	56
PID 2284 wrote to memory of 3412	2284	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	56
PID 2284 wrote to memory of 3412	2284	c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3412
- C:\Users\Admin\AppData\Local\Temp\c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 /s C:\Windows\system32\BI1I7JC8Gl.txt
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2072
- - C:\Users\Admin\AppData\Local\Temp\c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
    3⤵
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Users\Admin\AppData\Local\Temp\c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
      4⤵
      Adds policy Run key to start application
      Boot or Logon Autostart Execution: Active Setup
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2284
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:4852
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1512
    - - C:\Users\Admin\AppData\Local\Temp\c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\c26dff584da6fa4945be74b82f5fbe2d_JaffaCakes118.exe"
        5⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:4052
      - C:\Windows\SysWOW64\winlog\winlogon.exe
        
        "C:\Windows\system32\winlog\winlogon.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3144
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /s C:\Windows\system32\BI1I7JC8Gl.txt
        7⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\winlog\winlogon.exe
        
        C:\Windows\SysWOW64\winlog\winlogon.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:488
        
        C:\Windows\SysWOW64\winlog\winlogon.exe
        
        C:\Windows\SysWOW64\winlog\winlogon.exe
        8⤵
        Executes dropped EXE
        
        PID:2196

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
219KB

MD5
7a505edefb4463e4f057829a74be2a86

SHA1
d53cd2d68f213516924d6019a4d65dc3d1081dab

SHA256
447b0073c12bffd612dfabd484ca57795831ba3cb93b8216e2ea7ef8e0f12f16

SHA512
209fcbd970625db8195630767693c095843a5e0d3a1a17b5c20ef3350de62078cdf490a13844e6817dbecceaae0de347a161df64aebe9771700f9314631ea987

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
592f56d78aa739e0fdef4958e25a03f7

SHA1
2df00248b8b2d894953d04b7827cfa0c11d43d5a

SHA256
73721620c8f649ecd0e39f6cbe63547b603418c3b72537a4b2779fb69a2285c0

SHA512
43a6aaa77ad04d975e7814b0a64a121881b938ce76542e38db13b2a04a4cdd559fe1bec7af365c9561f473137742d5e92ac0d636b57ece31e458aa8d407d1bb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
00ff77d9c4f611cfdde1559a635e6b8b

SHA1
24929ad62ef1c438de64ebd9aa4d79a4c85ec5cc

SHA256
88abed84ac64f3e914029d9779de08193458fe395ff11b588978003eb2123fab

SHA512
6ee4e6c60d4efac9c636348514d672036864e1fbea09d60c6952bbf96271f59d7410ab0e4d3f782529f31b4e3016e2803afc9be9e70485d6b3f54da1ed68de64

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
2485b9601332032dde3f6f812535582c

SHA1
10cc28ce535e6b4764ab435a49a8e67e7b6c8671

SHA256
894137966fc075613c2aaa732675553877884d09b8c8d8813bc01b85de770c16

SHA512
ae41a846f8ebf9f1d5ed757fa05386a80932965bed9c51d4db6216beafb9626425bda52240addeea6f208bedf986c12b1915ff0c3cc1a54aa3c0862360f172b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
08f569b26575b66db78d748011c350a0

SHA1
65d0123aba4a6f1274242f41528db19c38e7d069

SHA256
b764476064100d3c8e876379dbcb11d44120c583647c1d5e716c99a9b52bc35b

SHA512
bc56c480f97ac40cd7babea2f6a65005b16183a29bf069820c48e4d15c1e817800b0e0273a3ef6c586c142cbbd3e3fda26277d1e7f6e0d7f11b81edeb04f88c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
6bb5de8eb352efb106dfcced55ceae85

SHA1
47752ecf0f3a369286884c03b4b8992c66db47be

SHA256
1c5398b190633df945da3c0ec19f0f072d09bedfc97fa62b20a5e6d8d9ed2ad6

SHA512
b4238c1b2fe97a3ce04bbf7cc50363fb99cb7b8f804ff0521dc2883f6e1bbaa00fdb7760697b980c088cc730a9c57df0d0e13fac5c770f4d611ea8e2c2755861

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
27e4d55692b85c7d4bd2ea7de037d7b9

SHA1
b5f506c48b4c2a0887acbe0c5221ebb1b563ef61

SHA256
d82f3cca69a02872f1d45dd3eb87a192da0c8876d5a2de72b5d2e95767ee03a2

SHA512
8da03fced2e077bfd7b66f6e432bdeff88d6d0f96252537119623b336f77b4f497d2f5989fb101cf5c31746686528de0b45f7a0305cf09b6973ab2361292be9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3fcab2da3bd138bce5c1153d7c2f8f37

SHA1
f917d830610400b8b4599bc21ede62efc7ccf89e

SHA256
6e2b8e61d94970bcd9904de21db4316570ab8301d96521eb19a71390a6720e00

SHA512
c973ff9f05753ec1b0d15cc4f49c0f6bdc5e561f3d8ff04537d50473ee41d7c17acd29e51a024bef0322cb704720a03a7863096089fe3c1cf43d050325687929

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
d1b16ef8daa4d661482afd651c56f549

SHA1
7df30d6a64eb813868e76310902739cc03796e06

SHA256
b72c3923b05ead3968b72610a63e600ea5418a425ce54edf3e262696d62dc788

SHA512
50650b493d80ec7d6f1b989b34d6d7847d34c62bb1382e8cb4364e35a1b90a90aca76c846c2a3b2d2cff712dbb644c9f767d48207c7f9f5cf706dd2d68ca68d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
7d51f88a36a3a0fec5d1682ddd58b312

SHA1
88936cba8b2b7d506581745eb79c7105610f26d3

SHA256
7d634654f4987ab8f5599f0d2473d9511a00ac08601c9177348f6d39c47cdf45

SHA512
77e5e27d6c4dfa88c1bd6e669be41f68e73e8221cec1767931aa8006cc1115f8a5bb235d7f3ca3529547644949484aba1ec64ccfcf55579ecb7a8c4294ff9241

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
e2ad0eb55a4174bf09bc1fdc182ab070

SHA1
78c453faf8d33c09a8b3c1f3a633c89920e56a16

SHA256
176a33ea732d3a53b26b48c9e1e677e343c3fe41c3363cb85454afdab8919fff

SHA512
dc14a9de8ba22ace9d1e7c3ab925c3c45ff1aa09363d27b52eed118a5cbd170ad60e82786c5f8a58799c7f0b02ba68251479ee42bd3418640b19e11336c31f36

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
b841ba3408c25323b7496e135c19d607

SHA1
6376f109224d71e810f2cb1e50e05119e3ddd561

SHA256
07e2d8461acde7f253b4ab68563deee4ffc65dd3bf3a923a4db74502873584a1

SHA512
33ea5e2db62d8499da67afadd5993e212db2d521b0aa8a34bb190f89e49dd17cd46371632687ec82a8200d9a5443777391e74b85084d72573458f147fe2c88e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
8fe850cc0b87d3bb7e2fb175fdfbade7

SHA1
6d5543e3af6aebb51937144e5911c73359e6161e

SHA256
78048e20f61ab78da603245d2c5fb295d3833301f9b1d0ae380b00d6daefcb1e

SHA512
2de6986734d2efe82f8af1bbdb02d63856ac0062e4c7d22377ba7d2384bfb9fdf95f2034aa99a92f919f8758c1f0405dacf33f734ac178f4c1e043a73683ea3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
9877e11cb05d8c0c1f5b1126a575eb17

SHA1
0e2fb77621b6c9e320e6517b548b3b3f892f0782

SHA256
911eedb854d0789bdea92c38868a73e0bc1749fcbaeefd39b44530ada71bf434

SHA512
ab982e45083a2a9125d9c2fbd5e3de915408f16de4211306074b1add8bdc00df37cb4a1ca72682007d358d13a9a84836e99761e6c7874e85182a4dc9658c338f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
47d0b619efebb3baa6f5da5d3fc72694

SHA1
5d74b00eb9ffecd76f5fe14ab42ba6e1f814439a

SHA256
73ee403b8b7c2e73a41e0ac1b1cd62eb8c2203af05c0e28f90b4a103a0dc5bff

SHA512
9abcf5297598c87317639b44840d30774412bb940663f1e835ea197ad93427614db39cc87d7b95ed02ed99c90d56c1dfac726e159fa0465414afd845ff5dd6a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
58d1efe333530c0889e6f03aec9c17f1

SHA1
baf51642f44c5743d9fe770b4b874f2194be4f43

SHA256
684d89a79f8127fdf346044b6e9f2bbac5478c3f9dba5970a9a0c65fdf53e612

SHA512
169a4175454f82f6d2b696c05512cae23c95f795688bcac0bcd618bc68ab34e6671371a26eedaabfd6a2527fbf8c9f94dc3ecdaf514e5bb74bbf0513311f1055

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
1abab65dcd046617bed6c7b2ee21e0df

SHA1
d48e014f646c790da914a7b995d44305d74bdc2e

SHA256
8280978119b75b85aa453c081d278d0f6f09f1de37557c74c1d87e86f149ae30

SHA512
1a2383f8e0ec243fe5b20ed2754c09b6742ce261e8c55b53f51e8e1724c49665c2fecd2e7c8cf18a766ec13d08fdd204fc5beb00a00d0480362b7b6dec995f4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
3937dfa3a119e35271a66b4d804a14a8

SHA1
6ed32de10a5cf59335e41afc1783c06bc5844e84

SHA256
661a61a6ba820d5a4ba5af10312f5d6d242a9ddc1d3696693153648bb3fd9f48

SHA512
8568b0660a7c0406f66a4db940e217a0ed47e07f93b51c208d0a445a015f9e7af231c53d489f49bfa79fd9cc1b28fe8d8463c6a86f9e14a37ab97712a4771d2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XxX.xXx

Filesize
8B

MD5
10854a9ed1bfcbdd98cc83ba2b5a8f33

SHA1
f75ca2b598303db39210b0e9e057aff840f9ff8c

SHA256
2cdf5f73281e29e9781258f29e57565a086c71a338bbf5be36dbd70d2d12d610

SHA512
3f7d319cebb8bea1c03d2d06d71edb0385a4ccf5adcf3d0ce6409681be271410be1ffdaebf4187f0d4108120208490d956317ac9e820c178431f822391b7bfdf

Download Submit
C:\Users\Admin\AppData\Roaming\logs.dat

Filesize
15B

MD5
bf3dba41023802cf6d3f8c5fd683a0c7

SHA1
466530987a347b68ef28faad238d7b50db8656a5

SHA256
4a8e75390856bf822f492f7f605ca0c21f1905172f6d3ef610162533c140507d

SHA512
fec60f447dcc90753d693014135e24814f6e8294f6c0f436bc59d892b24e91552108dba6cf5a6fa7c0421f6d290d1bafee9f9f2d95ea8c4c05c2ad0f7c1bb314

Download Submit
C:\Windows\SysWOW64\BI1I7JC8Gl.txt

Filesize
9KB

MD5
fcf62896f7784ff1782257d01bb5c605

SHA1
46d320602c12452ced5a8874ee22ddb9fd000aaa

SHA256
83e3f2278e5827ddec15fa7ef2acec927f6a2853b442308e6e807060ac79fbf3

SHA512
74dad8fb7d452e7567242b7b642715fcefc9340a70bad5f454f86564e2e9f776c89e3e7df71e828019849171cd5e3b9e803e06909fe7e9c3024a4fa1abd37484

Download Submit
C:\Windows\SysWOW64\winlog\winlogon.exe

Filesize
332KB

MD5
c26dff584da6fa4945be74b82f5fbe2d

SHA1
779c1d4bcc756796fcf8af5cb0b098203aaa8f4a

SHA256
b1a3c03cc36efebc04639fc91d4a480c3ffaa77e21fbff2c522c47b420275242

SHA512
5d8e1d09f2d2ce3b62eb6db52835f7d2a35525f43c3632ec91b5baeaf5d6c07bd3c7cda1c73d5bff5c3253eeb5b20f7b1dc94e8c9269459a02d943d5ae0ae5e7

Download Submit
memory/488-196-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/488-200-0x0000000011000000-0x000000001100B000-memory.dmp

Filesize
44KB

Download
memory/488-209-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2072-5-0x0000000011000000-0x000000001100B000-memory.dmp

Filesize
44KB

Download
memory/2196-212-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2284-20-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2284-21-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2284-163-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2284-31-0x0000000024070000-0x00000000240CF000-memory.dmp

Filesize
380KB

Download
memory/2284-17-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2284-28-0x0000000024010000-0x000000002406F000-memory.dmp

Filesize
380KB

Download
memory/2284-27-0x0000000024010000-0x000000002406F000-memory.dmp

Filesize
380KB

Download
memory/2284-19-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2504-7-0x0000000011000000-0x000000001100B000-memory.dmp

Filesize
44KB

Download
memory/2708-187-0x0000000011000000-0x000000001100B000-memory.dmp

Filesize
44KB

Download
memory/2976-16-0x0000000011000000-0x000000001100B000-memory.dmp

Filesize
44KB

Download
memory/2976-24-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2976-11-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2976-12-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2976-10-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2976-8-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3144-189-0x0000000011000000-0x000000001100B000-memory.dmp

Filesize
44KB

Download
memory/4852-32-0x0000000000B90000-0x0000000000B91000-memory.dmp

Filesize
4KB

Download
memory/4852-33-0x0000000000E50000-0x0000000000E51000-memory.dmp

Filesize
4KB

Download